It’s that time of year again – the moment when we take stock of the year that was, anticipate the one to come, and resolve to do things differently this time around. It’s a practice dating back to antiquity when early Romans made annual oaths to Janus, the two-faced god of chaos, transition, and change (a patron for 2020 if ever there was one).
But millennia of practice haven’t made us any better at it. Each year we struggle to make commitments that keep at least as long as the milk; studies show that 90% of us fail to keep our New Year’s resolutions for more than a few months. Mental health experts give perennial advice on how to do this, none of which should come as a surprise: set goals that are specific, realistic, and outcome-based; publicly commit to them, and build new habits in support. Above all, make promises that are important to you. Choose resolutions that are worth your interest and investment – goals that you’ll make time for, even when it’s in short supply.
If that sounds familiar, it should. In recent years, the U.S. Department of Justice has given similar advice in its Guidance for Evaluating Corporate Compliance Programs. Use risk assessments and lessons learned to identify problem areas and set targeted goals. Adopt performance-based metrics to measure the impact of your compliance practices. Conduct regular, periodic reviews to make informed updates. Gauge organizational commitment by how fully it funds and empowers its compliance function.
This year, consider taking a page from both psychologists and prosecutors by drafting New Year’s resolutions for your risk and compliance program that set your organization up for success:
Resolution #1: Conduct a Risk Assessment
A thorough risk assessment is at the core of every well-designed corporate compliance program. Compliance officers need to develop an informed risk profile that can serve as a basis for your program decision-making. Make sure your assessment has a coherent and consistent methodology for identifying, analyzing, and addressing the risks unique to your organization. Use metrics from across your organization to inform your assessment.
Next, put your assessment to use. Utilize the results to determine your resource allocation. Shift time and resources away from monitoring low-risk areas in favor of high-risk ones. Give special attention to third-party relationships, accounting for factors such as dollar amount, location, and the contracting party. Over-policing routine expenses and transactions can take valuable resources and attention away from proper scrutiny of high-risk ones, leaving your organization exposed (more on that in a bit).
Benchmark: Measure Your Program Performance Relative to Industry Peers
If you’ve already conducted a risk assessment, then make sure it is current and subject to review. Reviews should not be limited to “snapshots” of data – they must be informed by continuous access to operational data and information from across your organization. Use the results to update your policies, procedures, and controls. Remember, a review that results in no improvement is worth little more than no review at all.
Finally, develop a process for incorporating “lessons learned” into your periodic risk assessments, keeping track of exactly how you go about doing this. Include experiences from your prior issues as well as those of other companies in your industry and/or region.
Resolution #2: Cultivate Commitment by Senior and Middle Management
Gaining leadership support can often feel like a catch-22. Buy-in is often contingent on demonstrable results, which are the result of a well-supported compliance function. However, there are things risk and compliance officers can do to start garnering support.
The first is to make cultivating support a conscious goal. According to the 2020 Risk and Compliance Definitive Benchmark Report, most compliance professionals (63%) say they plan to do this at some point, but only a minority (39%) commit to doing it within the year. Those that do are significantly more likely to report superior program performance. As with any New Year’s resolution, the key is to make this commitment explicit, public, and measurable. Create specific, targeted markers and routinely assess your progress.
One of the best ways to encourage leadership support is to grab their attention. Involve and invest senior and middle managers in decision-making by asking them to serve on cross-functional committees. Regularly report on compliance results. Periodic board reporting is especially important; compliance professionals that regularly report to their Board of Directors are 2.2 times as likely to experience “good” to “excellent” program performance. Make sure that you have a solution for easily generating reports. Include analysis that allows you to measure your program performance relative to your industry peers.
Also, beware of “soft support.” In our 2020 Annual Risk and Compliance Benchmark Survey, 64% of R&C professionals said their programs had leadership support. However, fully a fifth of these went on to say that their leadership viewed their programs as insurance policies, rather than as strategic investments capable of producing a return on investment. This type of soft support leaves programs vulnerable when budget cuts and other priorities capture organizational focus. It’s also factually wrong. Multiple studies have shown that strong compliance programs can increase ROA, lower litigation costs and regulatory fines, and safeguard your reputational value.
Resolution #3: Implement a Risk-Based Approach to Regulatory Compliance
One of the most prominent messages embedded in the DOJ’s 2020 Guidance is the need for a risk-based approach to regulatory compliance. The document makes clear that prosecutors investigating your program will want to know if you devoted appropriate time and resources to high-risk transactions. They expect to see risk-based training, with tailored training for high-risk and control employees, as well as different or supplementary training for supervisory employees. They will review your third-party management process to see if you applied risk-based due diligence, ensuring that it corresponded to the nature and level of the enterprise risk identified by the company.
However, NAVEX Global’s survey results indicate that most compliance programs are still behind the curve. Fewer than half of all programs reported having a risk-based training program (47%) or risk-based due diligence and oversight for third parties (44%). This could be based in part on the fact that defining what a “risk-based approach” to compliance is can be difficult. In the NAVEX Next presentation How to Adopt A Risk-Based Approach to Regulatory Compliance, compliance experts Carrie Penman, Vera Cherepanova, and Scot Moritz give the following pieces of advice:
- Begin with a risk assessment. Just as we said at the outset, a thorough risk assessment is the foundation of a well-designed program. When conducting your assessment, make sure to take your time and gather meaningful, qualitative results that speak to the risks specific to your organization.
- Visualize your risks. Once you have the data from your risk assessment, play with it to paint a bigger picture. Categorize your risks and see if they begin to cluster around a given area. Chart them along the axes of likelihood and impact.
- Include stakeholders. Take care to identify all stakeholder risks during your assessment, and use the results to start, inform, and improve conversations with them. Pay particular attention to your board of directors, regulators, and business operations leaders.
When it comes to risk-based training, create a training plan to map out audience-specific training. Also, use microlearning courses to supplement your core training. As our recent benchmark shows, microlearning is a hallmark of advanced compliance programs and is strongly associated with program success.
Finally, make sure to screen and continuously monitor your third parties to identify which of your third parties require the most attention. Fortunately, third-party screening is on the rise, with 62% of respondents saying they now screen for high-risk partners. However, continuous monitoring – which the DOJ took extra care to emphasize in 2020 – is still lagging, with only a third of programs saying they do so. Make sure your third-party risk management solution is capable of both these critical functions.
These targeted, realistic, and measurable resolutions can help give you a strong start to the new year. Just remember – the most important factor in determining a resolution’s success is personal investment. The more these commitments matter to you, the more likely you are to keep them. So, take the time to take these resolutions on and hopefully the next time the god of chaos comes for his due, you’ll be prepared.